Tag Archives: Crime

Malware Inside the Credit Card Machine


(Update, July 2009: A BusinessWeek article puts the company’s side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, one of the five largest U.S. processors in terms of volume, began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers of some, or all, of more than a quarter of a million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors and fears of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers’ computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April (here’s the proof; certificates are valid for a year). This suggests, according to Digital Transaction News, that the bad guys have found a way around the industry-standard level of protection.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusations that the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company has set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor, was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing).

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it to be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers, or why it was so hard to trace once it—or something—was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

Phishing For a Scapegoat

It’s somewhat scary that more than 10 employees of a laboratory that works on security issues (including phishing) could fall for a phishing attack. The Oak Ridge National Laboratory, or ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. In late October the lab was targeted from Chinese websites, according to eWeek:

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL’s investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

The interesting thing here is whether this was a “coordinated attack” and a “cyberattack”, as has been suggested in the media. The Knoxville News Sentinel, for example, quotes lab director Thom Mason as saying the attack involved the thieves making “approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate.” Meanwhile this AP article quotes Mason’s memo to employees:

The assault appeared “to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions” in the United States, lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

The key here may be that the attackers were after personal information, not military secrets. As John C. Sharp writes:

The headlines keep coming about the news that several high-profile military labs – including some of the world’s leading nuclear research labs – have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers “launched” a coordinated “major attack” on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

The fact is that China’s computers are so insecure that more or less anyone could use them to do more or less anything, from relaying spam to launching phishing attacks. So it’s not proof that China, or even Chinese, were involved just because the IP addresses are Chinese.

Of course, we don’t know for sure what happened yet. But if the attack was enabled by employees clicking on an email attachment or link that originated from a Chinese server, you’ve got to a) question the security training at a place like that, and b) wonder what kind of security filters they have on their servers that would allow such emails to get through, especially given the sheer number of emails that were sent.

Sometimes “China” is a great excuse for all sorts of incompetence and inefficiency, and “sophisticated cyber attack” is just another way of saying “sorry, we haven’t got a clue about all this Internets stuff.”

Oak Ridge Speared in Phishing Attack Against National Labs

A Fatwa Against SMS Scams

Indonesia’s Islamic council of ulemas, MUI, has concluded its session with the issuance of nineteen fatwas, or legal opinions concerning Islamic law. Contrary to what the non-Muslim world thinks, a fatwa is not a sort of death sentence, although in certain circumstances and for some people it can be. Most are mere clarifications on where Islam, or that country, or sect, stands on a particular issue. The 19 fatwas in this case were about some controversial issues — a much debated anti-pornography law (a good thing, MUI says) — and the less controversial — such as “It is forbidden to receive prizes via SMS.”

Now, at first blush this may seem somewhat odd. Why is such an august body troubling itself with pronouncing whether it’s OK to receive prizes via your cellphone? And as far as I know no further explanation is given for the reason, or why they’re discussing it. But actually, it’s a good thing, and here’s why. Indonesia is rife with scams — I think that’s why I love monitoring scams so much — and SMS is no exception. The most common one is a message that claims to be from a cellular operator saying that you’ve won a prize. All you need to do is to call a given number and register for your prize.

Of course, the number given to call doesn’t look anything like the cellular operator’s number — it’s often located in a remote suburb, where businesses rarely venture — and the source number doesn’t look very kosher either. Still, I’ve tried ringing a couple of these and they’re usually along the lines of either requesting your full bank details and PIN number plus faxing your ID card (presumably to empty your account instead of filling it) or else telling you, Nigerian scam-like, that you have to pay a registration fee before collecting your winnings. Similar scams have been discovered in China and Malaysia.

I somehow doubt that MUI had this in mind when they declared SMS prizes haram. But if it stops a few gullible folk falling for the scam, it’s probably a good thing.

Playing the Software Pirates at Their Own Game

In the last post I prattled on about how Microsoft et al didn’t get it when it comes to dealing with piracy. So what should they do?

I don’t know what the answer is, but I’d like to see a more creative approach. After all, these pirates have an extraordinary delivery mechanism that is much more efficient than anything else I’ve seen. Why not try an experiment whereby a user who buys counterfeit software, either knowingly or unknowingly, has a six-month grace period in which to ‘activate’ a legitimate version? This could be done online with a key download and a credit card. No big software downloads — prohibitive in a country where Internet speeds are glacial — and no shipping (time-consuming, and often not possible from most suppliers). Instead, a downloaded widget would scour the program the user wants to ‘activate’, check its version and integrity (I’m not talking values here, I’m talking software) and install whatever patches are necessary (hopefully done without the need for a full upload). After that, the software is legit.

Software vendors would argue that this encourages piracy. I would argue: if the user can’t buy a legitimate version of your software in the country they live in, either online or offline, should they just not use your software? Or

Secondly, I would argue that this approach is not far removed from the shareware try-before-you-buy approach whereby users get to play with software for free for 30 days or so before buying. Of course, if they want to, the user could just not pay and continue using the software. But I suspect that they weren’t the kind of customer who was going to pay anyway, so you can hardly count them as lost business.

Lastly, it may be possible to use this approach to disrupt the economics of the pirate software network by embracing the shareware model. Instead of restricting distribution of your product, you flood the market with shareware versions of your software, allowing users a grace period in which to try out the software. If users can find trial copies of OneNote or Photoshop or whatever free in every computer shop they visit, why would they bother buying a dodgy pirate copy that may or may not work? Sure, the free version needs paying for at some point, but that’s the point. The piracy market exists in part because people don’t have access to legitimate software — certainly not the range of legitimate software — in these places.

OK, that’s not always true. There will always be pirates, and there will always be people who buy from pirates, even if the legitimate software is available next door. But I suspect a lot of people who buy pirate software buy it to experiment, to try out software. Indeed, someone living in a place like Indonesia is likely to be familiar with many more software programs than someone living in a non-pirate-infested country. It’s not that these people want this software desperately, nor that they would buy it all full price if they had to. They buy it because the price is so low, they may as well buy it and try it. Do they keep it installed? In most cases, probably not. But the calculation for Microsoft et al should be: How many of these people would buy this software if, after trying it, they liked it?

Finding the answer to that question will give you an idea of the real losses Microsoft and co are incurring in lost business. It should also make them realise that not doing a decent job of making their software readily available in a place like Indonesia — at a price that reflects the purchasing power of the local consumer — is creating this highly efficient, but highly parasitical economy in pirated software. If they can reach their customers through that economy, or bypass it with widely available shareware versions of their programs — then they may stand a chance.

The Tilted Software Piracy Debate

Software piracy is a tricky topic that requires some skepticism on the part of the reporter, though the media rarely show signs of that in their coverage. Here’s another example from last week’s Microsoft press conference in Indonesia, one of the prime culprits when it comes to counterfeit software:

JAKARTA (AFP) – Software piracy is costing the Indonesian economy billions of dollars each year and is stymieing the creation of a local information technology industry, a Microsoft representative said.

There is some truth to these statements, but it’s not really what Microsoft is interested in. First off, is it really the Indonesian economy that’s suffering because of piracy? One could argue the Indonesian economy is largely built on pirated software, as a kind of subsidy (like gasoline, which was until recently heavily subsidized).

Secondly, when did Microsoft ever support the creation of a “local information technology industry”? That’s not their job — and I don’t blame them — but why hide behind this kind of argument? (Interestingly, there’s a lively Linux development community in Indonesia, but I’m not sure that’s what Microsoft is talking about here).

Some 87 percent of computer software on the market in Indonesia in 2005 was pirated, Microsoft Indonesia’s Irwan Tirtariyadi said, citing a study from the Business Software Alliance, an organisation representing manufacturers.

That’s probably about right. It’s huge. It’s hard to find a company that doesn’t use pirated software. You can buy pretty much every program ever written, and I don’t know of a single person who uses a computer and who doesn’t buy pirated software. This is not to condone it, but I also only know of about half a dozen shops in a city of 12 million people which actually sell legal software. And forget buying online: Most companies won’t ship to Indonesia.

Lax law enforcement and widespread corruption contributed to Indonesia clocking in with the fifth highest rate of software counterfeiting in the world, he said, after Vietnam, Ukraine, China and Zimbabwe. “I’ve heard when police come to a shop (selling pirated software) it is closed. Basically information is leaking and this is an indication of the quality of law enforcement in action,” Tirtariyadi said.

This is part of the problem, it’s true. The malls are full of shops openly selling pirated software, often on the ground floor near the entrance, with policemen patrolling by. When a raid is planned, everyone knows about it, the shops quietly shut, cover their wares in tarpaulins and keep their heads down for a day or two. (Sometimes it’s hard to tell whether the imminent raid is from the police or some Islamic group cracking down on the counterfeit DVD stores, which often sell software too.)

Tirtariyadi told a gathering of foreign reporters that if piracy dropped by just 10 percent, it would add 3.4 billion dollars to the economy, according to figures cited by the International Data Corporation.

Could someone please explain to me how that figure came about? To me it sounds suspiciously as if the argument is based on a false premise: That everyone who buys pirate software would pay full price for legitimate software if there was no alternative. Let me think about that: $3 for brand new software — often a collection of software — against $50–500 for the same thing, in a country where half the population earn less than $2 a day. I don’t think so.

Counterfeiting also inhibited an “inventive culture” and the development of a strong local information technology (IT) industry here, he said. “Some students like to create new software but three months later they find it’s pirated,” he said.

True, there is definitely an inhibiting factor. I wrote a year or so ago about a guy developing a machine translation program which wasn’t bad, but which required him to spend at least half his time developing anti-piracy features in the software. But I still think this is a disingenuous argument. Let’s face it: Microsoft (and Adobe, and all the other BSA big boys) are mainly interested in quashing piracy of their products and building up their market share; I don’t see much sign of Microsoft actually nurturing this “local IT industry”.

Indonesia, Southeast Asia’s largest economy, has fewer than 100 IT companies, whereas neighboring Singapore, with a far lower rate of piracy, has between 400 and 800 such companies, he added.

This is not a useful comparison. Singapore is a highly developed country and one of the world’s technology hubs. Though, interestingly, it’s not really a locally creative industry, with the exception of a couple of big names.

All this makes me realise that Microsoft et al still don’t get it. Piracy is massive; they’re right. But you don’t deal with it by sponsoring misleading press conferences and well-telegraphed police raids.

What’s Safe?

Another example of why you can’t really trust software to tell you whether a website is dangerous or not. The Register reports that “Trusted search software labels fraud site as ‘safe’”:

Digital certificate firm GeoTrust’s launch of a search engine with built in trust features this week has been marred by the classification of a phishing site as genuine. Powered by Ask Jeeves, GeoTrust TrustWatch search aims to protect users against fraudulent behaviour and phishing attacks by giving web sites a verification rating. It’s a laudable aim, but the classification of a recently created phishing site as “verified as safe” raises serious doubts about the effectiveness of the technology. Such incorrect classifications create a false sense of security that can only play into the hands of would-be fraudsters.

As I’ve explained elsewhere, it’s more dangerous to offer a service that claims to warn you about phishing-related and other dodgy websites if you can’t guarantee 100% success, as it merely lulls a user into a false sense of security. Another reason why these things won’t work is the false positive, which EarthLink found to its (temporary) cost.